Financial Services Cybersecurity Weekly Briefing 9-15-2017

FTC Opens Probe into Equifax Data Breach
The US Federal Trade Commission (FTC) has launched a formal investigation into the massive data breach of Equifax, which yesterday confirmed its failure to address a previously disclosed Apache Struts vulnerability that was exploited in the attack. Meanwhile, Equifax share prices continued to plummet this week – now 35% lower than before the breach – in an ominous sign of the breach’s potential financial devastation to the credit-monitoring firm.
https://www.darkreading.com/attacks-breaches/ftc-opens-probe-into-equifax-data-breach/d/d-id/1329889?

On the Equifax Data Breach
Market failures like this can only be solved through government intervention. By regulating the security practices of companies that store our data, and fining companies that fail to comply, governments can raise the cost of insecurity high enough that security becomes a cheaper alternative. They can do the same thing by giving individuals affected by these breaches the ability to sue successfully, citing the exposure of personal data itself as a harm.
https://www.schneier.com/blog/archives/2017/09/on_the_equifax_.html

Equifax Data Breach Could Create Lifelong Identity Theft Threat

“It’s very problematic for hackers to have all that important information all in one place,” says John Ulzheimer, a credit expert who once worked for Equifax and credit-score firm FICO. “This information is perpetually valuable. You are not going to change your name or date of birth or Social Security number. In five years they will be the same, unlike a credit card that takes five minutes to cancel over the phone.”

“Plaintiffs file this complaint as a national class action on behalf of over 140 million consumers across the Country harmed by Equifax’s failure to adequately protect their credit and personal information. This complaint requests Equifax provide fair compensation in an amount that will ensure every consumer harmed by its data breach will not be out-of-pocket for the costs of independent third-party credit repair and monitoring services,” the complaint reads.

The challenges of 23NYCRR and other regulations can certainly be daunting, especially for smaller businesses that may be impacted, but tackling the seemingly insurmountable task of compliance can be achieved if businesses establish and execute against a solid cybersecurity plan. The first steps include designating a CISO and other parties within the organization who are responsible for the security plan and its implementation. Typically, the CISO will work with the Chief Information Officer (CIO) and report to the CEO and board.

Many of these affected consumers are already organizing a massive class-action lawsuit, seeking damages of $70 billion. Equifax’s heartfelt apology from its chairman and CEO offers people the opportunity to enroll in its subsidiary’s identity monitoring services at no cost for a period of one year. From this, a host of new consumer challenges emerges, especially given the latency of cyber threats, the vast secondary black market where personal data are sold, the lifelong nature of Social Security numbers and our performance-based credit system.

Equifax has set up a site through which people can check whether they have been affected. Unfortunately for them, they can’t really trust the result of the check – the site will seemingly randomly provide either a confirmation or a denial of whether they’ve been impacted. It seems logical to assume, then, that Equifax doesn’t know which individuals have been affected. Still, they want everybody to sign up for their credit file monitoring and identity theft protection with TrustedID Premier, a credit monitoring service that is also operated by Equifax.

The Israeli Securities Authority (ISA) recently announced that it will establish a committee to review potential regulations for initial coin offerings (ICOs) — a new form of raising capital with digital currency, akin to a stock market’s initial public offering (IPO). […] The Alignment incubator strives to assist, develop and fund “unique and high-quality projects” in Israel’s emerging digital currency ecosystem. The incubator is the collaborative creation of Israeli cryptocurrency investment groups BlockchainIL, CoinTree Capital and Singulariteam.


About Critical Informatics

We are world-class information security professionals providing Managed Detection and Response services to help you be secure, compliant, and resilient against threats to the life safety, life-sustaining, and quality-of-life systems and services you provide to clients, customers, constituents, and communities.